TISAX Compliance

Business relationships between companies involve not only the delivery of services and products but also the exchange of large amounts of information, which is often an organization's most valuable asset.

Globalization and networked ways of working have brought companies clear benefits: access to international markets, lower production costs, greater competitiveness, and better service quality. They have also introduced new risks, because the technical processes that make this collaboration possible expose information to partners, networks, and systems outside the organization's direct control.

Organizations therefore need to control the risks they are exposed to by establishing standardized information security measures for every party involved, so that information is protected along the entire value chain.

With this aim, the German Association of the Automotive Industry (VDA) developed a methodology for assessing information security uniformly across the automotive industry: TISAX (Trusted Information Security Assessment Exchange).

What is TISAX?

TISAX is a security assessment and exchange mechanism for demonstrating and recognizing the information security measures applied by suppliers and partners of the major German automotive manufacturers.

It follows a maturity-oriented security approach: it establishes standardized levels of information security across the industry, saves manufacturers and suppliers the cost and effort of repeated individual audits, and allows one assessment result to be recognized by all participating partners.

Requirements for TISAX Compliance

The requirements for TISAX compliance are defined in the current version 5.1 of the VDA ISA ("Information Security Assessment") catalogue, which contains the security controls applicable to companies and collaborators in the automotive industry.

The VDA ISA requirements are divided into three catalogues of controls:

  • Information Security: 41 control questions distributed across the following chapters:
    • Information Security Policies
    • Information Security Organization
    • Asset Management
    • Risk Management
    • Assessments
    • Incident Management
    • Human Resources
    • Physical Security and Business Continuity
    • Identity Management
    • Access Management
    • Cryptography
    • Operations Security
    • Acquisition, Requirement Management, and System Development
    • Supplier Relationships
    • Compliance
  • Protection of Prototypes: 22 control questions distributed across the following chapters:
    • Physical and Environmental Security
    • Organizational Requirements
    • Handling of Vehicles, Components, and Parts
    • Requirements for Test Vehicles
    • Requirements for Events and Shootings
  • Data Protection: a single chapter with 4 control questions on the protection of personal data.

For each control question the catalogue defines the objectives the organization must reach, distinguishing mandatory ("must") requirements, recommended ("should") requirements, and additional requirements that apply to information with high and very high protection needs.

The following list summarizes, for each assessment objective, the requirements an organization must meet:

  • Information with high protection needs: all requirements of the "Information Security" criteria catalogue ("must" and "should" requirements), plus the "requirements for high protection needs" where applicable.
  • Information with very high protection needs: all requirements of the "Information Security" criteria catalogue ("must" and "should" requirements), plus the "requirements for high protection needs" and the "requirements for very high protection needs" where applicable.
  • Protection of parts and components: all requirements applicable to "Information with high protection needs", plus the following chapters of "Protection of Prototypes":
    • Physical and Environmental Security
    • Organizational Requirements
    • Handling of Vehicles, Components, and Parts
  • Protection of prototype vehicles: all requirements applicable to "Information with high protection needs", plus the following chapters of "Protection of Prototypes":
    • Physical and Environmental Security
    • Organizational Requirements
    • Handling of Vehicles, Components, and Parts
  • Handling of test vehicles: all requirements applicable to "Information with high protection needs", plus the following chapters of "Protection of Prototypes":
    • Organizational Requirements
    • Handling of Vehicles, Components, and Parts
    • Requirements for Test Vehicles
  • Protection at events and film shootings: all requirements applicable to "Information with high protection needs", plus the following chapters of "Protection of Prototypes":
    • Organizational Requirements
    • Handling of Vehicles, Components, and Parts
    • Requirements for Events and Shootings
  • Data protection: all requirements applicable to "Information with high protection needs", plus the "Data Protection" chapter.
  • Protection of special categories of personal data: all requirements applicable to "Information with very high protection needs", plus the "Data Protection" chapter.

The VDA ISA self-assessment form must be completed according to the criteria listed above, recording the maturity level reached for each applicable control question. The target is a maturity level of 3 or higher for every question, measured on the following six-level scale:

  • Level 0: Incomplete
  • Level 1: Performed
  • Level 2: Managed
  • Level 3: Established
  • Level 4: Predictable
  • Level 5: Optimized

How to Get TISAX Certified?

The first step is online registration as a participant with ENX (the European Network Exchange Association, which operates TISAX), providing essential information about the organization, including:

  • Participant’s Name.
  • Primary Contact.
  • Participant’s Address.
  • Scope of Evaluation.
  • Scope Locations.

The second step is the assessment itself, for which three assessment levels are defined:

  • Assessment Level 1: intended for suppliers who only need to complete the VDA ISA self-assessment and publish its result; no audit provider is involved.
  • Assessment Level 2: intended for suppliers handling information with high protection needs; the VDA ISA self-assessment is completed and then checked for plausibility by an audit provider, typically by video conference or phone call, with selected evidence verified.
  • Assessment Level 3: intended for suppliers handling information with very high protection needs, and requires an on-site audit by an ENX-accredited audit provider.

Finally, once the audit is complete, the audit provider issues a report with the organization's results. If the results are satisfactory, the organization receives the corresponding TISAX labels (the formal name of the certification) and can share them with its partners through the ENX platform. A TISAX result is valid for 3 years; unlike certifications such as ISO 27001, there are no annual surveillance audits during that period, so the organization must maintain compliance on its own until the next full assessment.

How Can We Assist You with TISAX Compliance?

TISAX implementation is essential for suppliers to the automotive industry that need to protect the information they manage within their organization. In this regard, GlobalSuite Solutions provides support for TISAX implementation, helping organizations manage the required security controls more efficiently.

Contact us to discover how we can help your organization meet established controls, protect your information, and improve your company’s information security!